The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. When the issue was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.